thunderbottom/flakes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8f4c7fe4cc
flakes/modules/nixos/hardware/initrd-luks/default.nix
Chinmay D. Pai 3a3a8afe30
feat: add nixos configuration based on snowfall-lib 
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2024-09-02 18:31:19 +05:30

62 lines
2.0 KiB
Nix
Raw Blame History

{
config,
lib,
...
}: {
options.snowflake.hardware.initrd-luks = {
enable = lib.mkEnableOption "Enable initrd-luks hardware configuration";
sshPort = lib.mkOption {
type = lib.types.int;
default = 22;
description = "SSH Port to use for initrd-luks decryption";
};
shell = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Shell to use for initrd-luks decryption";
};
hostKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = ["/etc/ssh/ssh_host_ed25519_key"];
description = "Path to the host keys to use for initrd-luks decryption";
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "List of authorized keys for initrd-luks decyption";
};
availableKernelModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "List of available kernel modules for initrd-luks decryption";
};
};
config = lib.mkIf config.snowflake.hardware.initrd-luks.enable {
# Enable remote LUKS unlocking.
# This allows remote SSH to unlock LUKS encrypted root.
# $ ssh root@<ip>
# While in the shell, run `systemctl default` or `systemd-ask-password`
# to trigger the unlock prompt.
boot = {
initrd.network = {
flushBeforeStage2 = true;
enable = true;
ssh = {
enable = true;
port = config.snowflake.hardware.initrd-luks.sshPort;
inherit (config.snowflake.hardware.initrd-luks) hostKeys;
inherit (config.snowflake.hardware.initrd-luks) authorizedKeys;
};
};
# initrd.systemd.users.root.shell = config.snowflake.hardware.initrd-luks.shell;
# Required for the network card that
# requires a kernel module to work.
initrd.availableKernelModules = config.snowflake.hardware.initrd-luks.availableKernelModules;
# Use DHCP to figure out the IP address.
kernelParams = ["ip=dhcp"];
};
};
}
Reference in New Issue View Git Blame Copy Permalink